What is the true cost to companies of IT security?

Simon Trang Photo: Frank Lemburg/Fotostudio Wilder Research project led by the University of Göttingen develops assessment method of information technology security for businesses How can companies evaluate whether specific measures taken will strengthen their Information Technology (IT) security? How can they find out what the real costs to their business will be? Researchers are addressing these questions in their research collaboration "Processor-Informed Economic Evaluation and Selection of IT Security Measures" (ProBITS), led by the University of Göttingen. The Federal Ministry of Education and Research (BMBF) has funded the project for three years with a total of around 1.4 million euros. Due to the constantly changing level of threat, whether due to cyber-attacks or new legal requirements, companies are increasingly required to implement complex bundles of different computer programmes and other measures to ensure IT security. "In practice, we see that it is not only costly to implement such measures: in fact, as we have observed, these measures have a significant impact on everyday business. They can lead to business processes taking longer and can drive up costs. In addition, they can make business processes more complex and thus less flexible when they have to suddenly adapt to a new situation," explains Professor Simon Trang, Junior Professor for Information Security and Compliance at the University of Göttingen. Classic evaluation models of investment costing, such as the Return on Security Investment, fall short when it comes to evaluating other business costs, apart from the immediate financial impact of IT security measures.